Guides · Email security
SPF, DKIM, and DMARC: email authentication for small business, explained
Here is an uncomfortable fact most business owners never hear: by default, anyone on the internet can send email that looks like it came from your domain. No hacking required. Nothing needs to be “breached.” Unless you have told the world’s mail servers who is allowed to send as you, they will accept a forgery as readily as the real thing.
The fix is three small DNS records — SPF, DKIM, and DMARC. They are free, they are the single highest-payoff hour in small-business security, and the vast majority of companies have at least one of them missing or misconfigured.
Why it matters
When your domain has no email authentication, three things happen:
- Criminals can impersonate you. The classic scam is an “invoice” or “please update our banking details” email sent to your clients, from a perfect copy of your address. You find out when a customer wires money to a stranger.
- Your own legitimate email lands in spam. Gmail and Outlook increasingly require authentication to trust a sender. Missing records quietly hurt your deliverability.
- You have zero visibility. Without DMARC reporting, you never even learn that spoofing is happening in your name.
Three records, one job
The three records work as a team, and every major mail provider checks all three on the way in.
- SPF publishes which servers are allowed to send mail for your domain.
- DKIM adds a tamper-proof cryptographic signature to every message you send.
- DMARC sets the policy — what a receiver should do with a message that fails — and sends you reports.
SPF — the guest list
SPF (Sender Policy Framework) is a single DNS TXT record that lists the servers permitted to send on your behalf. A Microsoft 365 domain, for example, often looks like:
v=spf1 include:spf.protection.outlook.com -all
Two details decide whether it actually protects you:
- The ending matters most.
-allmeans “reject anything not on this list” (what you want).~allis a softer “treat as suspicious.” Never publish+all— it authorizes every server on earth to send as you, which is worse than having no record at all. - Mind the 10-lookup limit. SPF allows only ten DNS lookups; stacking too many
include:statements (one per tool — your CRM, your invoicing app, your newsletter) silently breaks the record. Consolidation matters.
You may have exactly one SPF record. Two is a configuration error that fails validation.
DKIM — the signature
DKIM (DomainKeys Identified Mail) signs each outgoing message with a private key held by your mail server. The matching public key is published in DNS at a named selector. The receiving server recomputes the signature and confirms two things: the message genuinely came from your domain, and it wasn’t altered in transit.
DKIM is what lets a receiver trust the content, not just the sending server — and it’s what survives when a message is forwarded.
DMARC — the policy and the visibility
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties the other two together with a record at _dmarc.yourdomain.com. It does two jobs:
- Sets the policy for messages that fail SPF/DKIM alignment:
p=none(monitor only),p=quarantine(send to spam), orp=reject(block outright). - Sends you reports. The
rua=address receives daily aggregate reports showing every source sending as your domain — legitimate and not.
DMARC is the piece that turns SPF and DKIM from “configured” into “enforced and monitored.”
The right rollout order
The order is what separates a clean deployment from a self-inflicted outage:
- Publish SPF and DKIM first, and confirm your real mail flows pass both.
- Start DMARC at
p=nonewith anrua=reporting address. This changes nothing for recipients — it only turns on visibility. - Read the reports for two to four weeks. Find every legitimate sender (invoicing tool, CRM, marketing platform, the accountant who sends as you) and make sure each one passes.
- Advance the policy to
p=quarantine, then finallyp=reject.
Jumping straight to p=reject is the most common mistake we clean up: it silently blocks your own newsletters, your invoicing system, or your booking tool, and no one notices until deals go quiet.
The mistakes we see most
+allon the SPF record (authorizes the whole internet).- Two SPF records instead of one.
- A forgotten third-party sender that fails once enforcement is on.
- DMARC left at
p=noneforever — visibility without protection.
Check yours in about a minute
Our free Online Health Check reads these exact records for your domain — SPF, DKIM, DMARC, and more — and returns a letter grade plus a prioritized fix list. No login, no port scans, just your public surface.
When to hand it off
Email authentication is finicky the first time and boring to maintain, which is exactly the kind of thing that quietly drifts out of date. If you’d rather it were simply handled — set up correctly and watched year-round — that’s the heart of our IT support. We do this every week.